From 28646fa9c74b94722eadd7bc2d9c285245aded80 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 20 Dec 2017 21:14:06 +0000
Subject: DANE/GnuTLS: ignore traditional CA anchor validation in DANE-EE mode

Not quite right for a mixed TA+EE set of TLSA records, but better than always-enforcing
---
 test/scripts/5840-DANE-OpenSSL/5840 | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'test/scripts/5840-DANE-OpenSSL')

diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index 7d86621cc..b1ea2f307 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -111,4 +111,19 @@ Testing
 ****
 #
 killdaemon
+
+
+### A server with a name not matching the cert.  TA-mode; should fail
+exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D
+****
+exim -odf CALLER@danebroken7.example.com
+Testing
+****
+#
+### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+exim -odf CALLER@danebroken8.example.com
+Testing
+****
+#
+killdaemon
 no_msglog_check
-- 
cgit v1.2.3